Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Lyastani, Sanam Ghorbani; Schilling, Michael; Neumayr, Michaela; Backes, Michael; Bugiel, Sven

doi:10.1109/sp40000.2020.00047

Cited by 44 publications

(22 citation statements)

References 41 publications

(80 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Password managers were used in about 10% of cases, which slightly exceeds previous findings, e.g. [83,61]. While reuse might be attributed to the artificial study context (even though also found in real life), the use of password managers might be more prevalent amongst MTurk workers who might be younger and/or more tech-savvy.…”

Section: Hybrid Password Meters Studycontrasting

confidence: 55%

Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information

Zimmermann

Marky

Renaud

2022

Behaviour & Information Technology

View full text Add to dashboard Cite

Supporting users with secure password creation is a wellexplored yet unresolved research topic. A promising intervention is the password meter i.e. providing feedback on the user's password strength as and when it is created. However, findings related to the password meter's effectiveness are varied. An extensive literature review led us to the conclusion that, besides providing password feedback, effective password meters often also include: (a) feedback nudges to encourage stronger passwords choices, and (b) additional password guidance. A between-subjects study was carried out with 645 participants to test nine variations of password meters with different types of feedback nudges exploiting various heuristics and norms. This study explored differences in resulting passwords: (1) actual strength, (2) memorability, and (3) user perceptions. The study revealed that password feedback, in combination with a feedback nudge and additional guidance, labelled a hybrid password meter, was generally more efficacious than either intervention on its own, on all three metrics. Yet, the type of feedback nudge targeting either the person, the password creation task, or the social context, did not seem to matter much, the meters were nearly equally efficacious. Future work should focus on the short-and long-term effects of hybrid password meters in real-life settings to confirm the external validity of these findings.

show abstract

Section: Hybrid Password Meters Studycontrasting

confidence: 55%

Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information

Zimmermann

Marky

Renaud

2022

Behaviour & Information Technology

View full text Add to dashboard Cite

show abstract

“…The evaluation of the enhanced warning tags was intended to gauge a preferential approach to soft moderation as well as understand the underpinning reasoning for it's acceptance (or lack thereof). A/B testing is a regular practice in usable security studies that informs the design of interface affordances, cues, and frictions [25,63,67]. Building on the exposure to contextual warning tags, a qualitative inquiry of how they fare in the misinformation front is important because the soft moderation employed by social media in general, and Twitter in particular, so far has yielded far from desirable results [39].…”

Section: Improbable Interpretations Of Facts (Ffs)mentioning

confidence: 99%

Meaningful Context, a Red Flag, or Both? Users' Preferences for Enhanced Misinformation Warnings on Twitter

Sharevski¹,

Devine²,

Pieroni³

et al. 2022

Preprint

View full text Add to dashboard Cite

Warning users about misinformation on social media is not a simple usability task. Soft moderation has to balance between debunking falsehoods and avoiding moderation bias while preserving the social media consumption flow. Platforms thus employ minimally distinguishable warning tags with generic text under a suspected misinformation content. This approach resulted in an unfavorable outcome where the warnings "backfired" and users believed the misinformation more, not less. In response, we developed enhancements to the misinformation warnings where users are advised on the context of the information hazard and exposed to standard warning iconography. We ran an A/B evaluation with the Twitter's original warning tags in a 337 participant usability study. The majority of the participants preferred the enhancements as a nudge toward recognizing and avoiding misinformation. The enhanced warning tags were most favored by the politically left-leaning and to a lesser degree moderate participants, but they also appealed to roughly a third of the right-leaning participants. The education level was the only demographic factor shaping participants' preferences. We use our findings to propose user-tailored improvements in the soft moderation of misinformation on social media. CCS CONCEPTS• Security and privacy → Social aspects of security and privacy; Usability in security and privacy.

show abstract

“…A more secure alternative could be the adoption of secure hardware-based authentication solutions, e.g. FIDO2 [11], where verification codes can be provided by external hardware devices, e.g. Yubico Security Key.…”

Section: B Multi-factor Authentication and Secure Hardware Tokensmentioning

confidence: 99%

“…The key steps of the accessibility attacks make use of Android accessibility service APIs 11 . These APIs are callable from any app that registers an accessibility service component that extends Accessi-bilityService and is granted the BIND_ACCES-SIBILITY_SERVICE permission.…”

Section: A Experiments Setupmentioning

confidence: 99%

See 1 more Smart Citation

PoPL: Proof-of-Presence and Locality, or How to Secure Financial Transactions on Your Smartphone

et al. 2021

View full text Add to dashboard Cite

The security of financial apps on smartphones is threatened by a class of advanced and persistent malware that can bypass all existing security measures. Strong cryptography and trusted onchip hardware modules are powerless against sophisticated attacks that supplant device owners through device input record/replay functionality, effectively hijacking their credentials, privileges, and actions. In this paper, we introduce Proof-of-Presence and Locality (PoPL), a new security measure that tackles this threat by leveraging sensors to prove the physical presence of device owners and therefore discriminate between malware-initiated transaction requests and legitimate ones. Moreover, PoPL neither imposes the expense of additional hardware nor compromises app usability. In order to demonstrate PoPL's practicality, we developed PoPLar, a challenge puzzle implementation of the PoPL concept that ensures usability even on limited screen sizes by the use of a dendrogram. We have made it available as an open-source library ready to be integrated with minimal effort with existing apps. We demonstrate PoPLar's effectiveness and ease of integration through case studies involving apps from the three top cryptocurrency exchanges and an open-source crypto wallet.

show abstract

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Cited by 44 publications

References 41 publications

Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information

Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information

Meaningful Context, a Red Flag, or Both? Users' Preferences for Enhanced Misinformation Warnings on Twitter

PoPL: Proof-of-Presence and Locality, or How to Secure Financial Transactions on Your Smartphone

Contact Info

Product

Resources

About